[Pdns-users] PowerDNSSEC Progress: ready for a first look

Frank Louwers frank at openminds.be
Fri Jan 7 08:49:45 UTC 2011

would be an excellent "way into dnssec".

This wouldn't require any change to the existing (non-dnssec) powerdns setups, and would allow us to test with "real" things, easily migrate single domains to a dnssec setup (just change the nameservers), rollback when needed to the old and tested setup etc.

Am I correct that this would only work via AXFR style transfers from the non-dnssec pdns to the new pdns-dnssec slaves?


On 06 Jan 2011 wk 1, at 20:00, bert hubert wrote:

> On Thu, Jan 06, 2011 at 11:55:24AM -0500, Mathew Hennessy wrote:
>> Excellent!  BTW, can PowerDNSSEC operate in the following way as one would expect:
>> PowerDNS supermaster which has DNSSEC RRs but doesn't do DNSSEC (aka
>> traditional PowerDNS) providing data to PowerDNS slaves.  If you use the
>> new code with a compatible backend on the slaves (such as gsqlite3), and
>> your whois servers only point to those slaves, will it work?
> Almost! If you did that up till just now, you would have had to run 'pdnssec
> rectify-zone' on your slaves after each AXFR.
> However, thank you for raising this idea, this sounds like a very valid use
> case.
> It has just been implemented in changeset
> http://wiki.powerdns.com/trac/changeset/1819
> I tested it against an ancient server, and now I have a fully
> operational DNSSEC zone!
> It works fully automatic on retrieving a zone for which we have local keying
> material.
> In this way, PowerDNSSEC can now be used to 'dnssec-ify' existing data, a
> bit like 'phreebird'. http://freshmeat.net/projects/phreebird
> 	Bert
>> Thanks,
>> = Matt
>> On Jan 6, 2011, at 10:13, bert hubert wrote:
>>> Dear PowerDNS Community,
>>> With the help of many of you, we've now brought 'PowerDNSSEC' to the point
>>> where it might make sense for you to trial it on test domains.  We expect to
>>> make move some of our own important domains over to PowerDNSSEC early next
>>> week. PowerDNS.COM underlies the commercial DNS hosting service 'Express',
>>> and may have to wait a bit longer.
>>> To test, head over to http://www.powerdnssec.org (which of course is powered
>>> by PowerDNSSEC). More information is on
>>> http://wiki.powerdns.com/trac/wiki/PDNSSEC - including how to get started,
>>> and how to get help.
>>> In brief, PowerDNSSEC will allow you to continue operating as normal in many
>>> cases, with only slight changes to your installation. There is no need to
>>> run signing tools, nor is there a need to rotate keys or run scripts.
>>> Particularly, if you run with Generic MySQL, Generic PostgreSQL or Generic
>>> SQLite3, you should have an easy time. A small schema update is required,
>>> plus an invocation of 'pdnssec secure-zone domain-name && pdnssec
>>> rectify-zone domain-name' per domain you want to secure. And that should be
>>> it.
>>> Supported are:
>>> 	* NSEC
>>> 	* NSEC3 in ordered mode (pre-hashed records)
>>> 	* NSEC3 in narrow mode (unmodified records)
>>> 	* Zone transfers (for NSEC)
>>> 	* Import of 'standard' private keys from BIND/NSD
>>> 	* Export of 'standard' private keys
>>> 	* RSASHA1
>>> 	* "Pure" PostgreSQL, SQLite3 & MySQL operations
>>> 	* Hybrid BIND/PostgreSQL/SQLite3/MySQL operation
>>> To join the fun, download the tarball which can be found on the sites above,
>>> and let us know how it works for you!
>>> To clarify, we do not recommend taking the current code snapshot into
>>> production, but we are getting close.
>>> Kind regards,
>>> Bert
>>> _______________________________________________
>>> Pdns-users mailing list
>>> Pdns-users at mailman.powerdns.com
>>> http://mailman.powerdns.com/mailman/listinfo/pdns-users
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> http://mailman.powerdns.com/mailman/listinfo/pdns-users


Frank Louwers
Operations -- Openminds bvba	    http://openminds.be
frank at openminds.be			            +32.9 225 82 91

Schrijf je nu in op onze nieuwsbrief:   http://openminds.be/nieuwsbrief

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20110107/b74aa741/attachment-0001.html>

More information about the Pdns-users mailing list